RE: AuthN CA middleware support [Fwd: [caops-wg] Draft Agenda]
David O'Callaghan wrote on 11 May 2006 14:42:
> Hi Jens et al.,

Hi David,

> On 11.05.06 12:53, Jensen, J (Jens) wrote:
>> Regardless of whether "we" build a validation authority or add to the middleware validation, someone still needs to build the validation code, and the language to specify what you want. The language should allow for checking not just policy oid but also key size and individual extensions, etc, IMHO. And be simple enough that anyone can implement an acceptance policy - no XML, no binary encodings.
>
> I've been working on something like this and I hope to have the opportunity to describe it at the next EU Grid PMA meeting. The acceptance policy uses a Scheme-style S-Expression format, which admittedly has a lot in common with XML.

Interesting. Do you have an implementation, or is it design at this stage? It ought to be possible to glue guile and OpenSSL together to evaluate it. Personally, I'd much, much rather write an S-expression than write an XACML-style policy document by hand... but then I am fluent in lisp so YMMV. I think we need an IGTF working group on this. We need to get requirements from the RPs as well. At the TAGPMA meeting, David G said he'd set up a policy WG, with expressions of interest received from Tony and Scott, and *cough* myself.

>> And as I mentioned earlier, if we add it to the middleware, it is best to go as far upstream as possible - OpenSSL ideally, or Globus. Document may need tweaking depending on where we go.
>
> It will also need to work with other libraries, such as Bouncy Castle, which is used for Java-based software (e.g. in gLite).

Definitely. But if OpenSSL has it, others are more likely to follow, I hope. If we need things changed, the further upstream it is changed, the wider the effect will be, but there is no single source. As long as it's compatible with other libraries in the interim. Didn't EGEE contribute Globus proxy validation code to OpenSSL?

Cheers,
--jens
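To make the kind of acceptance policy discussed in this exchange concrete (policy OID, key size, individual extensions, written as an S-expression rather than XML), here is a small evaluator. It is an added illustration, not code from this thread, from David's implementation, or from any project named here. The grammar (`and`/`or`/`not`, `policy-oid`, `key-algorithm`, `key-size`, `extension`) is hypothetical, the certificate is a plain dict standing in for what a real X.509 parser such as OpenSSL or Bouncy Castle would expose (no ASN.1 is parsed), and the sample policy and certificates are constructed for the demo; the OID arc `2.999` is the one reserved for examples.

```python
"""Evaluator for a hypothetical S-expression certificate acceptance policy.
Added example only; the cert dicts and the grammar are constructed here."""
import re

# Tokens: parens, double-quoted strings (used for OIDs), bare atoms.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def parse(text):
    """Turn one S-expression into nested lists; atoms become str or int."""
    tokens = TOKEN.findall(text)
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of policy")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while True:
                if pos >= len(tokens):
                    raise ValueError("unterminated '('")
                if tokens[pos] == ")":
                    pos += 1
                    return items
                items.append(read())
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if tok.startswith('"'):
            return tok[1:-1]                       # quoted string, e.g. an OID
        return int(tok) if tok.isdigit() else tok

    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after policy")
    return expr


COMPARE = {"=": lambda a, b: a == b, ">=": lambda a, b: a >= b,
           "<=": lambda a, b: a <= b}


def evaluate(expr, cert):
    """Evaluate a parsed clause against a cert dict. Fails closed: a clause
    the evaluator does not understand is an error, never an accept."""
    if not isinstance(expr, list) or not expr:
        raise ValueError(f"malformed clause: {expr!r}")
    head, *args = expr
    if head == "and":
        return all(evaluate(a, cert) for a in args)
    if head == "or":
        return any(evaluate(a, cert) for a in args)
    if head == "not":
        (sub,) = args
        return not evaluate(sub, cert)
    if head == "policy-oid":                       # (policy-oid "x.y.z")
        (oid,) = args
        return oid in cert["policy_oids"]
    if head == "key-algorithm":                    # (key-algorithm rsa)
        (alg,) = args
        return cert["key_algorithm"] == alg
    if head == "key-size":                         # (key-size >= 2048)
        op, bits = args
        return COMPARE[op](cert["key_size"], bits)
    if head == "extension":                        # (extension keyUsage critical ...)
        name, *flags = args                        # every listed flag must be present
        ext = cert["extensions"].get(name)
        return ext is not None and all(f in ext for f in flags)
    raise ValueError(f"unknown predicate {head!r}")


def accept(policy_text, cert):
    """True if the certificate satisfies the acceptance policy."""
    return evaluate(parse(policy_text), cert)


# Constructed sample policy; 2.999 is the OID arc reserved for examples.
POLICY = """
(and (policy-oid "2.999.1.1")
     (key-algorithm rsa)
     (key-size >= 2048)
     (extension keyUsage critical digitalSignature)
     (not (extension basicConstraints ca)))
"""

# Constructed sample certificates; field values chosen for the demo.
USER_CERT = {
    "policy_oids": ["2.999.1.1"],
    "key_algorithm": "rsa",
    "key_size": 2048,
    "extensions": {
        "basicConstraints": {"critical"},          # present, but not a CA
        "keyUsage": {"critical", "digitalSignature", "keyEncipherment"},
    },
}
CA_CERT = dict(USER_CERT, extensions={
    "basicConstraints": {"critical", "ca"},
    "keyUsage": {"critical", "keyCertSign", "cRLSign"},
})
WEAK_CERT = dict(USER_CERT, key_size=1024)

if __name__ == "__main__":
    for name, cert in [("user", USER_CERT), ("ca", CA_CERT), ("weak", WEAK_CERT)]:
        print(name, "accepted" if accept(POLICY, cert) else "rejected")
```

The point a relying party cares about is in `evaluate`: an unknown predicate or malformed clause raises instead of silently evaluating to true, so a typo in a deployed policy rejects certificates rather than admitting them. Extension flags are required as a set, so `(extension basicConstraints ca)` under `not` rejects CA certificates even when the extension is present but marked non-critical.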
"Jensen, J (Jens)" writes:
> I think we need an IGTF working group on this. We need to get requirements from the RPs as well. At the TAGPMA meeting,
Some of us have been thinking about this for quite a while - we have a mailing list for it, validity@es.net, and if you want to bring some of your ideas to it that would be very welcome.

email to: listserver@listmin.es.net
subject: subscribe validity@es.net, [email address]
body: [leave blank]

Send in ASCII text, no PGP or cert sigs, and the rest is automatic. Since these instructions often fail due to local fiddling with email list management, if you have any problems please forward them to postmaster@es.net as well as me.

We have focused on certain requirements - mainly, hiding infrastructure such as complex PKI; and on protocols that are extensible, such as XKMS and SCVP, but without thinking too much about for what purposes they would be extended. I have been of the camp that thinks that OCSP might be just good enough for the purposes we had in mind, but as soon as people start thinking about evaluating levels of assurance or other policy details then I think that invalidates that idea, and OCSP will be a component of some more sophisticated service.

We have certainly not focused on details(*) of how the service would be presented to the management and admin side of the set of stakeholders, which is very important, and the ideas here are very useful - they also influence the requirements for the service as a whole. [(*) except for some preliminary discussions about managing proxy cert info]

One thing that happens when a lot of policy info becomes important for evaluation is that fine structure probably appears in the service, that is, there are both universal qualities that need to be validated, and purely local qualities. That is, individual trust domains will look different from each other, potentially, so they either need their own validation service or at least one that is customizable for them, and the rules in each trust domain will be different and have different effects on the grid users that appear there. We can collapse away one side of this if we have to, but do we have to - should we?

You should also be aware - probably you all are - that David Chadwick has proposed some kind of cert validation service in the ogsa-authz space. I know just a little about this but I haven't been able to take advantage of the one moment when we were at the same space-time coordinates to talk with him about it. It seems to be a much, much more ambitious concept, and probably what we have in mind - certainly what I'm talking about - has a much smaller scope. However, once you start down the road of validating policy and usage you are drifting into his territory. Probably an XACML or XACML-friendly service is what he has in mind.

I'd like to repost some of the recent messages about this to validity@es.net - if anyone has any objection to that please let me know.

Regards,
==mwh
participants (2): Jensen, J (Jens); Mike Helm